Security Advisory
    RSA BSAFE Crypto-C Micro Edition vulnerabilities (CVE-2019-3728 and CVE-2019-3733) and VanDyke VShell Server for Windows
	Risk assessment: Medium-High (see below)
    
    Posted: April 26, 2022
				  
    Description
    
        The VanDyke VShell Server for Windows uses RSA BSAFE Crypto-C Micro Edition for cryptography. 
        (CVE-2019-3728) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to a Buffer Over-read vulnerability when processing DSA signatures.  A malicious remote user could potentially exploit this vulnerability to cause VShell to crash, leading to a denial of service.  [High severity]
        (CVE-2019-3733) Versions of RSA BSAFE Crypto-C Micro Edition prior to 4.1.4 are vulnerable to three Improper Clearing of Heap Memory Before Release vulnerabilities, also known as “Heap Inspection vulnerabilities”.  A malicious remote user could potentially exploit these vulnerabilities to extract information, leaving data at risk of exposure.  [Medium severity]
    
    
    Products Not Affected
       
            - VShell 4.7 and newer versions for Windows
 
            - VShell for macOS and Linux
 
       
	
    Products Affected
       
	      - VShell 4.6.3 and earlier versions for Windows
 
       
    Recommended Solution
	
	    Upgrade to VShell 4.7 or newer versions for Windows
	
    Vulnerability Fix Downloads
	    
     Official Postings
        
            https://nvd.nist.gov/vuln/detail/CVE-2019-3728
            https://nvd.nist.gov/vuln/detail/CVE-2019-3733
        
     Revision History
     
         April 26, 2022 – Security Advisory Published